GDPR and CASL – They’re NOT the same thing

As the implementation date for GDPR regulations (General Data Protection Regulation, the EU’s digital privacy requirements) on May 25th nears, many companies are making efforts to ensure they’re compliant. Others are still wondering what they need to do or have decided it’s not important.

While most marketers are in the know, I’ve heard a few stories about those who think GDPR and CASL are basically equivalent. They’re not.

GDPR is far more stringent than CASL regulations (Canada’s Anti-Spam Legislation) and has a lot more teeth than CAN-SPAM (the United States’ digital privacy and spam restrictions). If you’re not clear on the rules, here’s a quick summary on GDPR vs. CASL.

At this point I will state that I am not a lawyer, Openprise and its employees are not authorized to provide legal advice, and you should seek input from your company’s legal team for your institutional policy and compliance requirements.

That done, on with GDPR vs CASL highlights:


Canada’s restrictions primarily focus on the sending of email and digital applications. It is meant to protect Canadian citizens from unsolicited email (SPAM) and from malware, as it makes sending a malware app a criminal offense.

For email, if someone requests information about a product or service, there is implied consent. That is, the company receiving the request can assume that the individual knows they’ve been added to a list and will probably be marketed to. That implied consent lasts 6 months. If there is a business relationship, such as the purchase of a product, the implied consent is 2 years.

Explicit consent is if an individual knowingly and actively signs up for email from the company, for example completing a subscription form. Explicit consent also expires in 2 years.

Because of the durations of the consent, it’s important for companies to retain the date and time that the consent was given. This can be accomplished, for example, with hidden fields on forms from marketing automation platforms and overwritten when consent is renewed, such as the renewal of a contract or the completion of a new form. It is also beneficial to keep track of the method of consent, for example which form and for which asset, if it’s for a form on your website, so you can provide the details if requested by a legal body.

At one point, the CASL requirements stated that individuals would be able to pursue lawsuits against companies for spam, but this provision was removed shortly before it was going to be enacted in 2017. So you don’t need to worry about that anymore, but you do need to worry about emailing residents of Canada, as the government of Canada has already fined several businesses for violations, to the tune of tens of thousands of dollars.

Official legal information about CASL can be found at


GDPR is the formalization of the European Union’s spam and privacy laws. Until it was enacted, each EU country was interpreting the laws in a different way, leading to confusion in the economy body. The laws have been strengthened, clarified, and will now be consistent across EU countries. Because it is a directive, the individual countries do not need to ratify it and it goes into effect immediately. It becomes enforceable on May 25, 2018. NOTE: Keep an eye out for what the UK does when Brexit is achieved.

GDPR addresses not only email, but digital cookies and the retention and storage of personal information about EU citizens, such as name, email address, corporate affiliation, social handles, and other details. There are stringent encryption requirements for data about EU citizens, regardless of where the corporate entity is located. If you’re at an American company and EU citizens visit your website and could be cookied by your marketing automation or personalization software, you need to be concerned with GDPR.

For email, GDPR requires an explicit opt-in. Because first opt-in can be unreliable and undocumented, for example at trade shows and in-person meetings, a double opt-in process is recommended. For cookies, EU citizens must actively accept cookies when they visit a site, otherwise no cookie may be used. If you’re storing data in your CRM, make sure you and your legal team have determined the requirements around the retention of data. This goes for products where people log into platforms as well.

GDPR also provides individuals with the Right of Erasure, which means that they can request that all their data be deleted, under certain circumstances. Keep that in mind for your CRM and marketing automation databases.

GDPR fines can be up to €20 million or up to 4% of annual worldwide revenue for the offending company, whichever is greater.

Official legal information about GDPR can be found at

If legal documents aren’t your thing, you can also watch our webinars: GDPHuh? A Data-Driven Marketer’s Guide to GDPR and Austin Marketo User Group Presents: GDPR 201: What to Do Next.

Taking Action: practical help

Again, your company’s legal team is your source for guidance on compliance with these regulations. That said, a lot of teams have guidance, but are now trying to figure out how to comply.

If your database today is incomplete and you can’t distinguish EU citizens and Canadian citizens from others who are not subject to these regulations, you’ll be unable to comply. Additionally, you’ll need your website to be cookie compliant for those visiting your site from specific geographies and spam compliant for others. Your first task will be to distinguish your GDPR and CASL leads from all the others, and we can help. Read our datasheet on our solution for complying with GDPR to understand the steps you can take, before GDPR is enforced.

Leave a comment